Writing Secure PHP Applications

Writing Secure PHP Applications Chris Cornutt SFPHP 2013 @enygma 1
Wednesday, August 21, 2013

Hi, I’m Chris Mashery Development Manager, Dallas Security Advocate PHPDeveloper.org
@enygma ...and other stuff 2 Wednesday, August 21, 2013

Secure development is broken. Let’s ﬁx that... 3 Wednesday, August
21, 2013

SQL injection is ten years old. XSS is eleven years
old. why are they still a problem? 4 Wednesday, August 21, 2013

5 Wednesday, August 21, 2013

WhiteHatSec Report OWASP Top 10 SANS 25 6 Wednesday, August
21, 2013

We need to ﬁx [insert exploit name here] 7 Wednesday,
August 21, 2013

WRONG 8 Wednesday, August 21, 2013

Build security in from the start 9 Wednesday, August 21,
2013

Make it work vs make it secure 10 Wednesday, August
21, 2013

Make it work securely 11 Wednesday, August 21, 2013

How could this break? 12 Wednesday, August 21, 2013

A Good Approach is... 13 Wednesday, August 21, 2013

Security Standards 14 Wednesday, August 21, 2013

Security Standards Security Testing 15 Wednesday, August 21, 2013

Security Standards Security Testing Threat Modeling 16 Wednesday, August 21,
2013

Security Standards Security Testing Threat Modeling Secure Architecture 17 Wednesday,
August 21, 2013

Reduce Attack Surface 18 Wednesday, August 21, 2013

Effective Auditing & Logging 19 Wednesday, August 21, 2013

Simple > Complex 20 Wednesday, August 21, 2013

Obscurity !== Security 21 Wednesday, August 21, 2013

Defense in Depth 22 Wednesday, August 21, 2013

And now, the speciﬁcs... 23 Wednesday, August 21, 2013

Input validation <?php /* Using built-in */ is_numeric(‘1234’); // true
ctype_digit(‘1234’); // false filter_var(‘invalid.email.com’, FILTER_VALID_EMAIL); // false /* Using 3rd party */ use Respect\Validation\Validator as v; $validator = v::alnum->noWhitespace->length(1,15); var_dump($validator->validate(‘thisisatest’); // true ?> https://github.com/Respect/Validation 24 Wednesday, August 21, 2013

Output escaping <?php /* Using built-in */ htmlspcialchars(‘<script>...</script>’); htmlspecialchars(‘’, ENT_QUOTES,
‘UTF-8’); // UTF-7 filter_var(‘invalid.email.com’, FILTER_VALID_EMAIL); // false /* Using 3rd party */ use Zend\Escaper\Escaper; $twig->render(‘...’); // escapes by default, but... ?> Don’t forget the context...especially if there’s multiple! 25 Wednesday, August 21, 2013

Content Security Policy? 26 Wednesday, August 21, 2013

Use HTTPS No excuses, just do it 27 Wednesday, August
21, 2013

But what about BREACH? It’s all about guessing... 28 Wednesday,
August 21, 2013

Uses HTTP-level compression Reﬂect user input in body Reﬂect a
secret (CSRF) 29 Wednesday, August 21, 2013

Return fast <?php /* Bad practice */ function foo($bar) {
if ($bar == true) { /* Lots of code here... */ } else { return false; } } //----------------------------------- /* Good practice */ function foo($bar) { if ($bar !== true) { return false; } /* Lots of code here... */ } ?> 30 Wednesday, August 21, 2013

Password hashing <?php /* in PHP 5.5+ */ $hash =
password_hash($password, PASSWORD_BCRYPT, [‘cost’ => 12]); /* Prior to PHP 5.5+ */ $lib = new \PasswordLib\PasswordLib(); $hash = $lib->createPasswordHash($input); \phpSec\Crypt\Hash::$_method = \phpSec\Crypt\Hash::BCRYPT; $hash = \phpSec\Crypt\Hash::create($input); $bcrypt = new \Zend\Crypt\Password\Bcrypt(); $hash = $bcrypt->create($input); ?> https://github.com/icrmaxell/password_compat 31 Wednesday, August 21, 2013

Encrypted sessions <?php /* Set custom session handler */ session_set_save_handler(
‘open’, ‘close’, ‘read’, ‘write’, ‘destroy’, ‘gc’ ); /* Using the handler interface */ class CustomSessionHandler extends SessionHandlerInterface { /* Code goes here */ } $handler = new CustomSessionHandler(); session_set_save_handler($handler, true); ?> https://github.com/enygma/shieldframework/blob/master/Shield/Session.php 32 Wednesday, August 21, 2013

Least privilege <?php /* “Fail fast” for user handling */
function checkAccess($user, $resource) { if (!$user->allowed($resource) { return false; } /* Other permission checking here */ } /* “Fail least” for user handling */ function checkAccess($user, $resource) { if ($user == null) { return false; } if ($resource == null) { return false; } /* Other permission checking here */ } ?> 33 Wednesday, August 21, 2013

Fail securely <?php /* Custom error handler */ set_error_handler(function($num, $str,
$file, $line) { echo ‘ERROR: [‘.$num.’] ‘.$str; }); /* Custom exception handler */ set_exception_handler(function($exception) { echo ‘Uncaught exception: ‘.$exception->getMessage(); }); ?> 34 Wednesday, August 21, 2013

And others... Authentication & Authorization Secure storage Secure resource access

Planning for the Future 36 Wednesday, August 21, 2013

Developer Training 37 Wednesday, August 21, 2013

Code Evaluation 38 Wednesday, August 21, 2013

Secure Coding Standard 39 Wednesday, August 21, 2013

Secure Coding Standard Handling auth* Filtering practices/tools Proper conﬁgurations Trust
boundaries Customer data handling 40 Wednesday, August 21, 2013

Secure Code Reviews 41 Wednesday, August 21, 2013

Secure Code Reviews Set objectives & limit Use questions related
to your app Review incrementally Review for security only Reﬂect common issues in coding standards 42 Wednesday, August 21, 2013

Policies & Processes Testing Environments Development Architecture The Evolution To...

Reduce Risk Exploitability Prevalence Detectability Impact + 45 Wednesday, August
21, 2013

Fixing secure development takes more than just knowing the problems.

Thanks! @enygma @websecquickﬁx http://websec.io http://phpdeveloper.org http://github.com/enygma 47 Wednesday, August 21,
2013

http://mashery.com/careers 48 Wednesday, August 21, 2013

Writing Secure PHP Applications

Writing Secure PHP Applications

More Decks by Chris Cornutt

Other Decks in Technology

Featured

Transcript